Transcribed by ESO, translated by —
collection boxes. And then I would issue the command snmp-server community, and I'd put in the password. In this case, we're putting in the read-only password. And then the 13 references back to the access list 13.

A couple other things to know about SNMP. Be sure not to use public, private, or secret. If so, just post it on the internet and let people have fun with it. And be sure to use different strings for the read-only and write-only communities. Remember, they can be cracked, especially if they're easy, so you need to use strong passwords, and be sure to use mixed alphanumeric strings. I typically like to use about a 10-character password with numbers and capitals mixed in there.

Make authentication secure. There are two ways. You can do enable password and then the password, or you can do enable secret and then the password. I don't recommend using the enable password. It's a very weak algorithm that encrypts the password. If you use enable secret, you're using an MD5 one-way hash. And then the other thing I like to do here is use privilege levels. This is good for auxiliary, especially if you're going to connect a modem for out-of-band management. And here I've given it privilege level 5. And that means unless you know the enable password, the only thing you can do is read-only router commands. You can go into enable, but you can't save and you can't make changes. As an administrator, though, you can put in a password later and you can pass into true enable mode.

Along with this, make sure that physical access is highly restricted. Really, only one or two people should have key access. Given 10 minutes and physical access to your router, I can compromise it and you would never know the difference.
And Cisco will kindly give you the information on how to do that.
Yeah.
Not necessarily. You would reboot, Control-Break into ROM mode, and you can blank the
password at that point. You reload and you come back with the configuration. And then
you just put in whatever password you'd like.
It's really just as simple as that. It varies per model on how exactly you do it. And switches
are a little different than routers. But for all of them, it's pretty straightforward.
On Cisco's site, you just type in your model number and then recover password and it'll
bring up the information here.
There are two ways really to do authentication. You can do RADIUS and TACACS. In our environment,
we use RADIUS. So I've done the RADIUS example here.
The aaa new-model command is just how you tell the router, I'm now going to make all authentication
secure. In this case, I do aaa authentication login RADIUS local, which means that anyone
connecting in will first be authenticated to the RADIUS server. And if they don't have
an account on the RADIUS server, then it goes to local authentication.
And then in this case, I now do username. And then I would type in my name here, which
would be Robert. And then password and whatever password. Here, you can also do privilege levels.
So if, for instance, you wanted to give a developer read only access so that he could
telnet into your router and then maybe telnet into the network itself, you could give
him only read only, but you could give your users a higher level of privilege.
Also in the logs, it now tells you who logged into your router and what changes they made.
That's kind of helpful.
And then later in the command, you have to type in the RADIUS server host, which is
basically just an IP.
And then here I've used a shared key.
The shared key, by the way, is not encrypted inside the configs.
Other things to know about authentication, no matter what you do,
if you're just typing in your password, it's in clear text.
So if someone is sitting there and watching, they can get your passwords fairly easily.
I would consider a one-time password method or consider using SSH.
The new IOS supports SSH.
I'm not really going to go into how to do that because that's a fairly complex topic.
But it's important.
Do what?
I still can't hear you.
Oh, it's 1.
Yeah, it's 1.x.
And then along with that, we want to audit our login attempts.
So we type in ip accounting and then ip accounting access-violations.
And then this simply goes into the logs.
And then in this case, I put in...
I put in logging and then I would type in the IP for my syslog server if I hadn't done it previously.
You can also do SNMP traps if you're using, you know, some type of SNMP program like OpenView
or there's some freeware ones that we use that we like.
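The management-plane pieces just described (SNMP behind an access list, enable secret, a restricted aux line, RADIUS with local fallback, and logging), collected into one constructed IOS configuration. This is an added example, not the speaker's slide; the 10.1.1.0/24 management subnet, the 10.1.1.5 RADIUS/syslog host, and every string in angle brackets are placeholders.

```cisco
! Constructed example (not from the talk). Replace <...> and the 10.1.1.x
! addresses with your own values.
!
! SNMP: only the management subnet may query; separate RO and RW strings;
! nothing like public/private/secret.
access-list 13 permit 10.1.1.0 0.0.0.255
snmp-server community <ro-string> RO 13
snmp-server community <rw-string> RW 13
!
! enable secret stores an MD5 hash; enable password is reversibly encoded.
no enable password
enable secret <enable-secret>
service password-encryption
!
! AAA: RADIUS first, local database as fallback. Caveat: with "group radius
! local" the local database is consulted only when no RADIUS server answers;
! an explicit RADIUS reject is final.
aaa new-model
aaa authentication login default group radius local
aaa accounting exec default start-stop group radius
radius-server host 10.1.1.5 key <shared-key>
username robert privilege 15 secret <admin-secret>
username developer privilege 1 secret <dev-secret>
!
! Out-of-band modem on the aux port starts at privilege 5 (read-only until
! the operator supplies the enable secret).
line aux 0
 privilege level 5
 login authentication default
!
! Logging: syslog host plus per-interface access-list violation accounting.
logging 10.1.1.5
logging trap informational
interface FastEthernet0/0
 ip accounting access-violations
```

The RADIUS shared key and any type 7 password remain recoverable from the config file, so treat backups of the config as secrets too.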
Okay, now we're ready to plug in a network cable and hook up to the Internet.
We're going to look at preventing spoofing, some DOS protection, NAT, is it good, is it bad.
We're going to look at the new firewall feature set available from 12.x on.
It's just pretty nifty.
And you now also have IDS that you can do either local in the router or have it sent to an IDS product,
which, of course, Cisco will be happy to sell you.
Preventing spoofing.
This is a fairly simple access list here.
We have access list 109, deny IP, which is my internal.
And then two internals here, 172 and 10.
And then access list 101, permit IP any, any, which says any traffic is allowed in except internal traffic behind the router.
And then here I've applied it to the serial interfaces: ip access-group instead of access-list.
I don't know why.
Cisco makes you do it that way.
101 referencing back to the access list.
And then in means for inbound traffic.
All access lists can go in or out.
So here we have a little detailed diagram of what's going on here.
Here we have the Internet passing into a border router, passing into an internal router, and then passing into our network here.
On the serial S0/1 interface, which is connecting between the two routers,
we're permitting traffic from the 142 network, and we're denying everything else.
And then this is all inbound to the S0/1, which is really outbound to the Internet.
That kind of makes sense.
And then on the interface serial 0 on the other router, here we have two different groups,
and this is basically just reversing what's allowed in versus what's allowed out.
And this is pretty standard here for most networks.
Spoofing continued.
ip cef distributed.
And then interface serial, and then a number, and then you can do ip verify unicast reverse-path.
This mitigates source address spoofing by checking that a packet's return path uses the same interface it arrived on.
Not appropriate for ISPs, but very helpful for us as just business people hooking up to the Internet.
DOS protection or prevention.
These particular access lists are good.
It's good to put on your router, and then if you come under attack, to go ahead and type the commands into your interface.
Access lists can take performance hits.
The more access lists that have to be processed by the packet, the slower your packets are inbound.
So this slide and the next slide, I like to have both of these access lists on my router, but not active.
And here we're basically just saying that all outbound ping responses are limited to 256 kilobytes.
And then in the next one, we're going to limit inbound TCP SYN packets.
So we're going to limit the packets to 8 kilobytes.
Nat.
Yeah.
How does the control of TCP packets compute or actively change in TCP packets?
You mean in the last slide?
Yeah.
In the last slide, it just allows only a certain amount of those TCP/IP packets through.
For queues.
Yeah.
So it looks at them, and if it reaches its limit in the queue, it starts dropping them, and it just puts them into the bit bucket and ignores them.
So you don't necessarily stop the attack, but you're mitigating the attack on your router, and you allow business to continue.
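The anti-spoofing access list, unicast RPF, and the two standby rate limiters from the preceding slides, as one constructed border-router configuration. This is an added example rather than the talk's own slide; Serial0 as the ISP link, the RFC 1918 internal ranges, and the access-list numbers are assumptions.

```cisco
! Constructed example (not from the talk): border router facing the Internet.
!
! Ingress anti-spoofing: traffic from the Internet may not claim an internal
! (or loopback) source address. Everything else is allowed in.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 permit ip any any
!
! Egress: only our own addresses may leave, so we cannot be a spoofing source.
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip any any log
!
! Rate-limit match lists, kept in the config and applied to the interface
! only when under attack, since each extra list costs forwarding performance.
access-list 110 permit icmp any any echo-reply
access-list 111 permit tcp any any syn
!
! uRPF needs CEF. Strict mode drops a packet whose source would be routed
! back out a different interface; fine for a single-homed business link,
! not for asymmetric or multi-homed ISP designs.
ip cef
interface Serial0
 description Link to ISP
 ip access-group 101 in
 ip access-group 102 out
 ip verify unicast reverse-path
 ip accounting access-violations
 ! Outbound echo-replies capped at 256 kbit/s, inbound SYNs at 8 kbit/s;
 ! excess packets are dropped rather than queued.
 rate-limit output access-group 110 256000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input  access-group 111 8000 8000 8000 conform-action transmit exceed-action drop
```

Logged denies on access-list 101 are the quickest way to see whether someone is sending spoofed internal sources at the border, so make sure those logs reach the syslog host.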
Nat.
That's real good.
It hides your entire network behind one IP.
It allows for control and monitoring of Internet usage.
Bad.
It may not work for all servers.
In this one particular instance, as we all go to Windows 2000...
There we go. Whoa.
As we go to Windows 2000, the Windows 2000 DNS servers have to be able to talk to the outside.
So in this case, you may have to open up holes in NAT, and we're going to look at that here in our slides and exactly how you would do that.
Also, email has to have a way to come through, and email does not work through NAT.
So here we have basic IP NAT commands.
Here we're setting up the pool, and in this case, I do IP NAT pool, and then I just have a particular name here.
In this case, it's just a random name.
And then outside IP, outside IP.
This can be a range, or it can be one.
Single IP.
prefix-length 30.
And then the next we do IP NAT inside source route map, and then a name.
So these commands, this IP NAT inside source command is going to connect into the next slide here.
So here we're setting up the route map.
So we have route map, a name, permit, and then the 10 is an access list, which is going to appear later.
And then we have match IP addresses to those access lists, which says only these IPs.
Pass through NAT.
Helpful if you have a group that you don't want to go out to the Internet.
And then we have an IP access list, an extended access list.
So over here, these are people who we're going to allow through our NAT, or if we want to allow specific services.
So in this case here, we're going to allow email.
So we have IP NAT inside source static TCP IP, internal IP, the port, which is 25.
Do the IP.
External IP.
And then port.
And then extendable simply means that it can handle multiple types of traffic.
It allows a service from the outside world to talk to your internal server.
I don't particularly like to do this command, and I only like to do it to DMZ servers,
unless someone feels good about opening up the Internet to their exchange server.
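The NAT pool, route map, and static SMTP hole from the last three slides, written out as a constructed configuration. This is an added example, not the speaker's slide; 203.0.113.64/29 as our public block, 10.1.1.25 as the DMZ mail server, and 10.9.0.0/16 as a group kept off the Internet are all assumptions.

```cisco
! Constructed example (not from the talk). 203.0.113.x is documentation space.
!
! Pool of a single public address.
ip nat pool OUTSIDE 203.0.113.65 203.0.113.65 prefix-length 29
!
! Only hosts matched by the route map are translated. The deny line keeps
! the hypothetical 10.9.0.0/16 group from ever reaching the Internet.
access-list 10 deny   10.9.0.0 0.0.255.255
access-list 10 permit 10.0.0.0 0.255.255.255
route-map NAT-OUT permit 10
 match ip address 10
ip nat inside source route-map NAT-OUT pool OUTSIDE overload
!
! One inbound hole: TCP/25 to the DMZ mail server only. "extendable" lets
! the same public address carry several static mappings side by side.
ip nat inside source static tcp 10.1.1.25 25 203.0.113.66 25 extendable
!
interface FastEthernet0/0
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface Serial0
 description Outside
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
```

Every static mapping is a permanent path from the Internet to one internal host, so keep an inventory of them and pair each with an inbound access list that allows only that port.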
The firewall feature set has just now become available.
It's really great if you have branch offices that you're going to connect to the Internet.
You don't want to buy a firewall for them.
Cisco now allows you to buy a higher-priced software feature set.
You get a basic firewall.
It's not a great firewall.
I don't recommend it for your main office.
There is a performance hit, and typically it's good to have lots of memory in your routers as you use it.
This is a typical firewall feature set command.
Basically, we turn on the audit trail, and then we name what particular services we want to watch.
And in this case, I watch TCP, UDP, FTP, TFTP.
The IDS feature set is also new.
It does network-based intrusion.
It's not as good as a host-based intrusion system.
It slows down traffic.
It's even worse, I think, really, than the firewall feature set,
because a firewall feature set only has to look at a packet.
The IDS has to think about a packet.
I typically would only use this on a bigger router.
If you were using 7200s or something like that.
And then in the same action here,
IP audit, info, action, alarm, drop, reset.
Which says, if it happens, you're going to note it.
You're going to take the following actions.
You're going to set off an alarm.
You're going to drop the packet.
And you're going to reset that particular connection.
And then the rest of them are logging.
You can also do anti-spam with this.
And in this case, this particular command, ip audit smtp spam 25,
says if an email is inbound and it goes to more than 25 people,
it's spam, it gets dropped.
Kind of nice.
Do what?
No, you can change it.
You can make it 10, 100.
It depends on what you really consider spam.
25 is the default.
Let's see.
Whoa.
Okay, we're a little off here on the projector.
I don't know what happened on this one.
The IP audit name is how this one begins.
And then it has a name, info list 99.
So now I'm going to use an access list.
In this particular case, I can say,
I don't want you to watch packets from my internal network.
Which is where, you know, no reason to slow these packets down
because I'm hopefully going to trust my internal traffic.
And then I'm going to permit anything else that comes through.
I'm going to say, I want you to look at it and I want you to monitor.
And, of course,
the IDS feature set and the firewall feature set
both have to be turned on
and they're turned on at the interface level.
So in this particular case,
FastEthernet 0/0 happens to be connected to the internet.
I come on and I do IP audit.
The IDS info is actually the name
of whatever you call your IDS service.
And then for inbound traffic.
You can also do outbound traffic
depending on where you want to put it.
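The firewall feature set (CBAC) and IDS feature set commands from this part of the talk, combined into one constructed configuration on the Internet-facing interface. This is an added example rather than the speaker's slides; the names FW and IDS, access-list 120, and the 10.0.0.0/8 internal range are assumptions.

```cisco
! Constructed example (not from the talk).
!
! Firewall feature set: audit trail on, inspect the protocols we care about.
ip inspect audit-trail
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW tftp
!
! IDS feature set: report through syslog, alarm/drop/reset on both the
! informational and attack signature classes, and treat mail addressed to
! more than 25 recipients as spam (25 is the default threshold).
ip audit notify log
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit smtp spam 25
!
! Hosts denied by list 99 are excluded from auditing, so internal traffic
! is not slowed down; everything else is examined.
access-list 99 deny   10.0.0.0 0.255.255.255
access-list 99 permit any
ip audit name IDS info list 99
ip audit name IDS attack list 99
!
! Inbound list: CBAC opens temporary holes in it for return traffic of
! sessions it inspected going out; anything else is dropped and logged.
access-list 120 permit icmp any any echo-reply
access-list 120 deny   ip any any log
!
interface FastEthernet0/0
 description Internet
 ip access-group 120 in
 ip inspect FW out
 ip audit IDS in
```

Both features are turned on per interface and per direction, so a second Internet link or a DMZ interface needs its own `ip inspect` and `ip audit` lines.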
Now let's hook up a branch office.
Not that we would ever have those.
We're going to look at an office-to-office connection.
I'm going to talk about some other problems
that you may see on slower lines
like ISDN and dial-up.
And then what to do if you have more than 10 sites.
Why would we want to use the internet
to hook up two offices?
Well, it's a lot cheaper than hooking up a frame relay.
It's a lot easier to do.
You can protect the branch office traffic
using what we're going to look at here.
And it's fairly simple once you get it in place.
We're going to use encryption here.
So here we have crypto map.
We're going to give it a name, a number.
The name and number are irrelevant.
And then ipsec-isakmp.
Set peer.
We're going to set the branch office IP.
And then we're going to do a set transform set encryption DES.
Now you can also do triple DES.
And then match address 101
is matching to the access list here at the bottom.
So here we have access list 101.
Permit IP.
Local IP.
Remote IP.
And this basically says that
only this IP is allowed to send encrypted traffic
to this router.
And then we're also going to set up the policy.
In this case, I'm using pre-shared keys,
which is authentication pre-shared.
crypto isakmp key.
And then I'm going to set the key
as whatever you want to make it.
Once again, the keys are in clear text
in the configs.
And then the address we're going to use,
the remote IP.
And then the pre-shared key
has to be the same on both sides, of course.
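The crypto map, transform set, and pre-shared key policy just described, written out as a constructed head-office configuration for one branch. This is an added example, not the speaker's slide; 203.0.113.9 as the branch router, 10.1.0.0/16 as head office, and 10.2.0.0/16 as the branch are assumptions, and it uses 3DES where the talk shows DES.

```cisco
! Constructed example (not from the talk): head-office side of a site-to-site
! tunnel. Replace <pre-shared-key> and the documentation addresses.
!
! Phase 1 policy: pre-shared key authentication. The key is stored in clear
! text in the configuration, so protect config backups and TFTP copies.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp key <pre-shared-key> address 203.0.113.9
!
! Phase 2 transform set (the talk uses DES; 3DES is on the same feature set).
crypto ipsec transform-set BRANCH-TS esp-3des esp-sha-hmac
!
! Interesting traffic: only head-office to branch packets are encrypted.
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! The name BRANCH and sequence number 10 are arbitrary; what matters is the
! peer, the transform set, and the match list.
crypto map BRANCH 10 ipsec-isakmp
 set peer 203.0.113.9
 set transform-set BRANCH-TS
 match address 101
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 crypto map BRANCH
!
! The branch router mirrors this: peer 203.0.113.2, the same key, and an
! access-list 101 of "permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255".
```

If the two sides' match lists are not exact mirrors, phase 2 negotiation fails and the packets are simply dropped, which is the "packets don't know where they're going" symptom mentioned later in the talk.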
Problems you may see.
ISDN and dial-up are more complex.
The lines go up and down, of course,
because that's the reason we bought ISDNs.
We didn't want to have traffic continuously.
Workarounds for that,
you have to develop access lists
that can determine if the traffic is interesting
to turn back on the crypto tunnels.
Otherwise, you're just going to send packets
and the packets are going to drop
because they don't know where they're going.
Also, if you use smaller routers for this,
small routers don't have an internal time source.
Two workarounds for that:
you can tell them to use an NTP source
that's out on the network,
which is okay.
Or you could,
as my Cisco instructor said,
you could hook up a GPS
to the back of your router
and you would have a time source.
More than 10 sites.
After you get to about 10 sites,
typing in shared keys
for each different site
could be a little repetitive.
Your configs could be a little long.
You can then go to what's called TED.
And TED is an algorithm
that allows you to do
hundreds of sites
and everything is dynamic.
The configuration for that,
I could spend an hour on in slides
trying to show what you could do with TED
and how it actually works.
Hardware limits the amount of tunnels.
Particular routers that we have,
we can do 2,000 tunnels.
The 2620s, which just now
are capable of the encryption,
I think can handle like 50.
But the problem is
you get into speed problems
with how much bandwidth
can be pushed through those routers.
And then, of course,
a fully mesh design
would be even more complex
if you consider 10 sites.
So each of those 10 sites
would then have 10 sites and 10 sites.
So you'd have 40 pre-shared keys.
Obviously not the best thing in the world.
That's pretty much it.
In summary,
don't use the default blindly.
Deploy services that are needed.
Allow device management from anywhere.
Use clear or easy guess passwords.
Send important data in clear text.
And assume that you're not going to be hacked.
Do make sure that you secure
your network devices.
Use strong authentication.
Deploy firewalls on all internet connections.
Deploy some form of intrusion detection.
And make sure that you are logging.
These particular sources right here
are really good.
We have Cisco's
Improving Security on Cisco Routers
and Security Technical Tips.
And then these are more
of my personal sites
that I like to read
just for interest.
Which, of course, is Infowar,
Insecure, Security Portal,
Security Focus, SANS,
and, of course, COAST.
That's it.
Thank you.
